The log is parsed in a bad way.
That's the props.conf:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Data:\s\d{14}
MAX_EVENTS = 256
TRUNCATE = 10000
TIME_PREFIX = ^Data:\s
TIME_FORMAT = %d%m%Y%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 25
That's the log:
Data: 29052020113001
Numero file in /data/In/ = 0
Numero file in /data/In/IMS/ = 0
Numero file in /data/archive/ = 7
Processi:
a is running
b is running
platform is running
-Controllo sftp
-pippo:
Connected to .
sftp> bye
-pluto:
Connected to .
sftp> bye
-casa:
Connected to .
sftp> bye
-SMC:
Connected to .
sftp> bye
-Datalake:
Connected to .
sftp> bye
-Controllo System Log ultime 48h
no rows selected
I need to have all of this log in one Splunk event. With that configuration, Splunk parses the log into two events:
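As an added example (not part of the post and not Splunk's own code), the Python script below emulates how the LINE_BREAKER, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD settings above act on a constructed log containing two check runs, so the event boundaries and timestamps the config produces can be checked outside Splunk. The emulation is a simplification of Splunk's pipeline and assumes the 'Data:' header is the only intended event boundary.

```python
import re
from datetime import datetime

# Constructed sample (not from the post): two check runs appended to one
# file, each shortened to a few lines but keeping the same 'Data:' header.
SAMPLE_LOG = """Data: 29052020113001
Numero file in /data/In/ = 0
Processi:
a is running
-Controllo sftp
-pippo:
Connected to .
sftp> bye
Data: 29052020123001
Numero file in /data/In/ = 1
Processi:
a is running
"""

# Settings copied from the props.conf in the post.
LINE_BREAKER = r"([\r\n]+)Data:\s\d{14}"
TIME_PREFIX = r"^Data:\s"
TIME_FORMAT = "%d%m%Y%H%M%S"
MAX_TIMESTAMP_LOOKAHEAD = 25


def break_events(raw: str) -> list[str]:
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false: the text matched
    by the first capture group is dropped and the next event starts right
    after it, so every event begins with its own 'Data:' header."""
    events, start = [], 0
    for m in re.finditer(LINE_BREAKER, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_time(event: str) -> datetime:
    """Emulate TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD: only the
    characters after the prefix, up to the lookahead limit, are examined."""
    prefix = re.search(TIME_PREFIX, event)  # '^' anchors to event start
    if prefix is None:
        raise ValueError("TIME_PREFIX not found in event")
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    digits = re.match(r"\d{14}", window)
    if digits is None:
        raise ValueError("no %s timestamp within lookahead" % TIME_FORMAT)
    return datetime.strptime(digits.group(), TIME_FORMAT)
```

With this input the script yields two events, each starting at its own 'Data:' line and carrying all the lines up to the next header; a single-run file like the one in the post yields exactly one event.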